What Is 42 CFR Part 2? Confidentiality of Substance Use Disorder (SUD) Patient Records Explained
Federal Regulation Overview
42 CFR Part 2 is the federal rule that protects the confidentiality of SUD treatment records. It strictly limits disclosure of patient information to prevent stigma, discrimination, and legal exposure, while still enabling safe, coordinated care. If you create, receive, or maintain SUD treatment information, these privacy requirements likely apply to you.
HHS updated Part 2 in a 2024 Final Rule to align key provisions with HIPAA and the HITECH Act. The rule became effective on April 16, 2024, and compliance has been required since February 16, 2026. In short, you must now treat Part 2 records under a unified framework that balances SUD confidentiality with modern care-delivery needs.
Scope of Applicability
Part 2 applies to any “Part 2 program,” meaning a program that both holds itself out as providing—and actually provides—SUD diagnosis, treatment, or referral for treatment, and is “federally assisted.” Federally assisted programs typically include organizations that receive federal funds, participate in Medicare, hold a DEA registration to dispense controlled substances for SUD treatment, operate under a federal license or certification, or benefit from federal tax-exempt status.
Coverage spans specialty SUD clinics (including opioid treatment programs), units within general hospitals, school-based or community programs, employee assistance programs, and private practitioners who publicly represent SUD services. It also extends certain obligations to people and organizations that receive Part 2 records (lawful holders), such as HIPAA covered entities, business associates, qualified service organizations, intermediaries, and third‑party payers.
Important nuances: you are not required to segregate or segment Part 2 data in an EHR when you receive it based on a single TPO consent. Providers that are not Part 2 programs may document SUD information in their own records without automatically converting those records into Part 2 records. Specific statutory regimes may govern VA and Uniformed Services records separately.
Patient Consent Requirements
Except for limited exceptions (for example, medical emergencies or certain court orders), you need written patient consent to use or disclose Part 2 records. A valid consent must include at least the following elements:
- Patient’s name and the person(s) authorized to disclose the information.
- Specific, meaningful description of the information to be used or disclosed.
- The recipient(s) (or class of recipients). For a single TPO consent, this may reference treating providers, health plans, third‑party payers, and people who help operate the program.
- Purpose of the disclosure (for example, “treatment, payment, and health care operations” or “at the request of the patient”).
- Right to revoke and how to revoke, and the limit on revocation where action has already been taken in reliance on the consent.
- Expiration date or event (for TPO, “end of treatment” or “none” is acceptable).
- Patient’s signature and date (and, when applicable, an authorized representative’s signature).
- Statements required for TPO consents, including the possibility of redisclosure under HIPAA and consequences of refusing to sign.
Under the 2024 Final Rule, SUD counseling notes (the clinician’s separate, personal analysis of a counseling session) require a separate, specific consent and cannot be disclosed based on a broad TPO consent. You may not combine consent for use in legal proceedings with any other consent. Each disclosure made with consent must include a copy of the consent or a clear explanation of its scope.
2024 Final Rule Updates
- Single TPO consent and redisclosure: Patients may sign one consent for future treatment, payment, and health care operations. Covered entities and business associates that receive records under this consent may redisclose them as HIPAA permits, except for use in legal proceedings against the patient.
- Public health and de-identification: You may disclose de-identified data to public health authorities without consent when de-identified to HIPAA standards.
- Use in legal proceedings: Part 2 further restricts use of SUD records in civil, criminal, administrative, and legislative proceedings against a patient without consent or a qualifying court order.
- Enforcement alignment: Penalties and HHS enforcement policies are aligned with HIPAA, replacing the old criminal-only model with HIPAA’s civil and criminal framework.
- Breach notification: The HIPAA Breach Notification Rule now applies to breaches of unsecured Part 2 records.
- Patient rights: New rights include requesting restrictions on certain disclosures and obtaining an accounting of disclosures (with the accounting compliance date tied to future HIPAA updates).
- Administrative updates: No requirement to segment Part 2 data; a new right to opt out of fundraising communications; strengthened safe harbor steps for investigative agencies; ability to file complaints directly with HHS.
- Timeline: Effective date—April 16, 2024; compliance date—February 16, 2026.
Enforcement and Penalties
HHS’s Office for Civil Rights now administers and enforces Part 2. OCR uses the HIPAA Enforcement Rule processes—investigations, compliance reviews, and resolution agreements—to address noncompliance. As of February 16, 2026, anyone may file a Part 2 complaint with OCR.
Violations can trigger civil penalties under HIPAA’s tiered structure, scaled by culpability, cooperation, and remediation factors. Intentional wrongful disclosures may also implicate criminal liability. The rule also introduces a safe harbor that limits civil or criminal liability for investigative agencies that exercise defined due diligence before demanding records and follow specified steps if they later discover they received Part 2 records without the required court order.
Patient Rights and Protections
Part 2 preserves strong protections while enabling coordinated care. You cannot use Part 2 records to investigate or prosecute a patient without consent or a compliant court order. Patients gain rights to request restrictions on certain disclosures and to obtain an accounting of disclosures (with timing tied to HIPAA updates). Fundraising communications must include a clear opt‑out.
SUD counseling notes receive heightened protection and require separate consent. Patients may also submit complaints directly to HHS, reinforcing accountability and transparency in how you handle Part 2 information.
Breach Reporting Obligations
Part 2 programs must follow the HIPAA Breach Notification Rule for breaches of unsecured Part 2 records. If a breach occurs, you must notify affected individuals without unreasonable delay and no later than 60 days after discovery, include required content (what happened, what information was involved, steps you are taking, and how individuals can protect themselves), and offer appropriate support.
You must also report to the HHS Secretary (immediately for incidents affecting 500 or more individuals, and annually for smaller breaches) and notify prominent media when a breach affects 500 or more residents of a state or jurisdiction. Ensure your qualified service organization and business associate agreements obligate partners to report incidents to you promptly so you can meet these timelines.
FAQs
What types of programs does 42 CFR Part 2 cover?
Part 2 covers programs that hold themselves out as providing—and actually provide—SUD diagnosis, treatment, or referral for treatment, and are federally assisted. This includes specialty SUD clinics, hospital-based programs, school and community programs, employee assistance programs, and private practitioners meeting the definition.
How does the 2024 Final Rule affect patient consent under Part 2?
Patients can now give a single consent for future treatment, payment, and health care operations, and HIPAA covered entities and business associates may redisclose received records as HIPAA allows—except for legal proceedings against the patient. SUD counseling notes require separate consent, and you cannot combine legal‑proceedings consent with other purposes.
What are the penalties for violating Part 2 confidentiality?
Penalties align with HIPAA’s enforcement framework. OCR may impose tiered civil money penalties and, in certain circumstances, criminal liability may apply. Factors include the nature and extent of the violation, harm caused, and your cooperation and remediation efforts.
How must breaches of Part 2 protected records be reported?
You must follow HIPAA’s breach rule: notify affected individuals without unreasonable delay (no later than 60 days after discovery), report to HHS, and, for large breaches, notify the media. Ensure partners under QSO or business associate agreements promptly report incidents to you so you can meet these obligations.